CUPP Computing ASDownload PDFPatent Trials and Appeals BoardMay 28, 2020IPR2019-00368 (P.T.A.B. May. 28, 2020) Copy Citation Trials@uspto.gov Paper 26 571.272.7822 Entered: May 28, 2020 UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ TREND MICRO INC., Petitioner, v. CUPP COMPUTING AS, Patent Owner. ____________ IPR2019-00368 Patent 9,781,164 B2 ___________ Before THOMAS L. GIANNETTI, GARTH D. BAER, and SHARON FENICK, Administrative Patent Judges. GIANNETTI, Administrative Patent Judge. JUDGMENT Final Written Decision Determining All Challenged Claims Unpatentable 35 U.S.C. § 318(a) IPR2019-00368 Patent 9,781,164 B2 2 I. INTRODUCTION A. Background Trend Micro Inc. (“Petitioner”) filed a Petition requesting inter partes review of claims 1–7, 9–16, and 18 (the “challenged claims”) of U.S. Patent No. 9,781,164 B2 (Ex. 1001, the “’164 patent”). Paper 1 (“Pet.”). Patent Owner (CUPP Computing AS) filed a Preliminary Response. Paper 6 (“Prelim. Resp.”). After considering the arguments presented in Patent Owner’s Preliminary Response, we determined that the information presented in the Petition established that there was a reasonable likelihood that Petitioner would prevail with respect to at least one challenged claim. Pursuant to 35 U.S.C. § 314, we instituted this inter partes review as to all of the challenged claims and all grounds raised in the Petition. Paper 7 (“Institution Dec.”). Following institution, Patent Owner filed a Response. Paper 9 (“PO Resp.”). Subsequently, Petitioner filed a Reply (Paper 11, “Pet. Reply”) and Patent Owner filed a Sur-reply (Paper 14, “Sur-reply”). In addition, Patent Owner filed a Motion to Exclude. Paper 18. We deny that motion in a separate Order entered concurrently. We held an oral hearing on March 25, 2020, and a transcript of the hearing is included in the record. Paper 25 (“Hearing Tr.”). We have jurisdiction under 35 U.S.C. § 6. This decision is a Final Written Decision under 35 U.S.C. § 318(a). For the reasons we identify below, we determine that Petitioner has demonstrated by a preponderance of the evidence that claims 1–7, 9–16, and 18 are unpatentable. IPR2019-00368 Patent 9,781,164 B2 3 B. Related Proceedings: The parties identify the following district court proceedings concerning the ’164 patent: CUPP Cybersecurity LLC v. Trend Micro, Inc., et al., No. 3:18-cv-01251 (N.D. Tex.); CUPP Cybersecurity LLC v. Symantec Corp., No. 3:18-cv-01554 (N.D. Tex.); and Symantec Corp. v. CUPP Cybersecurity LLC, et al., No. 3:18-cv-04720 (N.D. Cal.). Pet. 1; Paper 4. C. Real Party-in-Interest The Petition identifies Trend Micro as the real party-in-interest. Pet. 1. Patent Owner in its Preliminary Response does not contest this identification. Patent Owner identifies CUPP Computing AS as the real party-in-interest. Paper 4, 1. D. The ’164 Patent The ’164 patent is titled “System and Method for Providing Network Security to Mobile Devices.” Ex. 1001, (54). The patent describes a system and method for providing network security to mobile devices. Id. at 1:25– 27. According to the patent, mobile devices are more vulnerable to attacks by malicious code when traveling outside an enterprise network. Id. at 1:55–59. The patent thus describes “a small piece of hardware [a ‘mobile security system’] that connects to a mobile device and filters out attacks and malicious code.” Id. at 2:38–42. This is illustrated in Figure 3 of the ’164 patent, which follows: IPR2019-00368 Patent 9,781,164 B2 4 Figure 3 of the ’164 patent is a block diagram of a network system. Ex. 1001, 3:63–64. Network system 300 includes desktop 305, first mobile device 310a, and second mobile device 310b. Id. at 4:41–44. First mobile device 310a is within trusted enterprise network 340 and is coupled to the enterprise’s intranet 315 via mobile security system 345a. Id. at 4:44–47. Figure 3 further shows mobile device 310c that has travelled outside trusted enterprise network 340 and is coupled to untrusted internet 330 via mobile security system 345b. Id. at 4:58–60. This mobile device may be in use by an employee of trusted enterprise network 340 who is currently on travel. Id. at 4:61–62. Security administrator 325 manages mobile security systems 345a and 345b and network security system 320 to assure that they include the most current security protection. Id. at 4:62–66. IPR2019-00368 Patent 9,781,164 B2 5 The mobile security system includes “security engines,” “security policies,” and “security data.” Id. at Fig. 5, 7:14–23. The administrator can update the security policies, data, and engines implemented on the mobile security system. Id. at 5:30–34, 11:12–14. E. Illustrative Claim The ’164 patent has 18 claims. Sixteen (claims 1–7, 9–16, and 18) are challenged in the Petition. Claims 1 and 10 are the independent claims. Claim 1 recites1: 1. A security system, comprising: [1.1] security system memory; and [1.2] a security system processor configured to: [1.3] store in the security system memory at least a portion of security code, at least a portion of a security policy, and at least a portion of security data, [1.4] the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data configured to provide security services to a mobile device coupled to the security system, the mobile device having at least one mobile device processor different than the security system processor of the security system, [1.5.] the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data being managed by one or more information technology (IT) administrators using an IT administrator system on a trusted enterprise network, the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data being configured based on one or more policies implemented by the one or more IT administrators on the trusted enterprise network, 1 Paragraph numbering has been added. IPR2019-00368 Patent 9,781,164 B2 6 [1.6] store in the security system memory at least a portion of remote management code configured to process an update command, the update command being an instruction to update at least one of the security code, the security policy, or the security data based on one or more revised policies implemented by the one or more IT administrators on the trusted enterprise network; [1.7] receive a particular update command to update a particular one of the security code, the security policy, or the security data, the particular update command having originated from the IT administrator system and having been forwarded to the security system; and [1.8] execute the update command using the remote management code to update the particular one of the security code, the security policy, or the security data. Claim 10 is a method claim that is similar to claim 1. The parties do not distinguish between these independent claims in presenting their arguments. See infra. F. References and Other Evidence The Petition relies on the following references: 1. US Patent App. Pub. No. 2005/0260996 (Ex. 1003, “Groenendaal”) 2. US Patent App. Pub. No. 2005/0055578 (Ex. 1004, “Wright”) In addition, Petitioner has submitted a Declaration of Dr. Markus Jakobsson (Ex. 1006, “Jakobsson Decl.”), and a Supplemental Declaration of Dr. Jakobsson (Ex. 1016, “Jakobsson Supp. Decl.”). Patent Owner has submitted a Declaration of Nenad Medvidovic, Ph.D. (Ex. 2009, “Medvidovic Decl.”). In addition the parties have submitted deposition transcripts for Dr. Jakobsson (Ex. 2004, “Jakobsson I Dep.”; Ex. 2010, “Jakobsson II Dep.”) and Dr. Medvidovic (Ex. 1007, “Medvidovic Dep.”). IPR2019-00368 Patent 9,781,164 B2 7 G. Asserted Grounds of Unpatentability Petitioner asserts the challenged claims are unpatentable on the following grounds: Claims Challenged Statutory Basis2 Reference(s) 1–7, 9–16, 18 35 U.S.C. § 103 Groenendaal 1–6, 9–15, 18 35 U.S.C. § 103 Wright 1–7, 9–16, 18 35 U.S.C. § 103 Groenendaal, Wright II. PRELIMINARY MATTERS A. Level of Ordinary Skill Petitioner contends “[a] person of ordinary skill in the art at the time of the alleged invention of the ’164 patent (i.e., December 13, 2005) . . . would have had a Bachelors’ degree in computer science, electrical engineering, or a comparable field of study, plus at least two years of professional experience with computer security systems, or the equivalent.” Pet. 6 (citing Jakobsson Decl. ¶¶ 47–48). Patent Owner’s response does not provide a formulation of the person of ordinary skill. Dr. Medvdovic, however, provides the following testimony: “It is my opinion that the person of ordinary skill in the art in the field of the ‘164 Patent would be someone with a bachelor’s degree in computer science or related field, and either (1) two or more years of industry experience and/or (2) an advanced degree in computer science or related field.” Medvidovic Decl. ¶ 36. The two formulations differ only 2 Because the application from which the ’164 patent issued was filed before March 16, 2013, the pre-AIA (“America Invents Act”) versions of §§ 102 and 103 applies. Leahy-Smith America Invents Act (“AIA”), Pub. L. No. 112-29, 125 Stat. 284, 285–88 (2011). IPR2019-00368 Patent 9,781,164 B2 8 slightly. For example, Dr. Jakobsson is more specific in requiring “professional experience with computer security systems, or the equivalent.” Jakobsson Decl. ¶ 47. Petitioner’s definition is supported by credible expert testimony and is more consistent with the prior art and the patent specification before us. See Okajima v. Bourdeau, 261 F.3d 1350, 1355 (Fed. Cir. 2001) (prior art itself may reflect an appropriate level of skill). We, therefore, adopt Petitioner’s description. However, we would reach the same result under either formulation B. Claim Construction The Board applies the same claim construction standard as that applied in federal courts. 42 C.F.R. §100(b)(2019). See Changes to the Claim Construction Standard for Interpreting Claims in Trial Proceedings Before the Patent Trial and Appeal Board, 83 Fed. Reg. 51,340 (Oct. 11, 2018). In this context, claim terms “are generally given their ordinary and customary meaning” as understood by a person of ordinary skill in the art in question at the time of the invention. Phillips v. AWH Corp., 415 F.3d 1303, 1312–13 (Fed. Cir. 2005) (en banc). “In determining the meaning of the disputed claim limitation, we look principally to the intrinsic evidence of record, examining the claim language itself, the written description, and the prosecution history, if in evidence.” DePuy Spine, Inc. v. Medtronic Sofamor Danek, Inc., 469 F.3d 1005, 1014 (Fed. Cir. 2006) (citing Phillips, 415 F.3d at 1312–17). Extrinsic evidence is “less significant than the intrinsic record in determining the legally operative meaning of claim language.” Phillips, 415 F.3d at 1317 (internal quotes and citation omitted). IPR2019-00368 Patent 9,781,164 B2 9 In this section we construe several key terms. Additional constructions will be discussed as necessary in our analysis of the prior art. 1. “a security policy” Petitioner initially requested construction of the term “a security policy,” appearing in independent claims 1 and 10. Pet. 7. Petitioner contended that “a security policy” should be construed to mean “one or more security policies.” Id. at 7–8. Patent Owner did not oppose this proposed construction. Instead, Patent Owner asserted that the Board “need not determine whether the term ‘a security policy’ is limited to the singular.” Prelim. Resp. 5. While we saw merit in Petitioner’s construction, we agreed also with Patent Owner that we do not need to construe this term. See Institution Dec. 8 (“Only terms that are in controversy need to be construed, and then only to the extent necessary to resolve the controversy,” citing Vivid Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999); Nidec Motor Corp. v. Zhongshan Broad Ocean Motor Co., 868 F.3d 1013, 1017 (Fed. Cir. 2017)). We have not been asked to revisit this decision post-institution, nor do we see any need to do so to resolve a controversy. 2. “provide security services to a mobile device” Neither party initially requested construction of this limitation, appearing in claims 1 and 10. However, because Patent Owner based its opposition to institution in part on the alleged failure of the references to disclose this feature (see Prelim. Resp. 13, 19), we provided a construction in our Institution Decision as necessary to our evaluation of this argument. Institution Dec. 8. IPR2019-00368 Patent 9,781,164 B2 10 Patent Owner contended in the Preliminary Response that Groenendaal failed to meet this limitation, in part, because “Groenendaal teaches transferring [Groenendaal’s security and configuration] profiles, or aspects thereof, to the mobile device such that any services provided by these profiles are provided on and by the mobile device itself.” Prelim. Resp. 14. Patent Owner made a similar argument for Wright. Id. at 20–21 (“[R]ather than policies stored in the memory of Wright’s server system being ‘configured to provide security services to a mobile device coupled to the security system,’ Wright’s mobile devices simply receive the stored policies and execute them.”). We concluded that “[i]mplicit in [Patent Owner’s] arguments is a construction of ‘provide security services’ that does not encompass the distribution of security information to the mobile device, without more.” Institution Dec. 9. We were not persuaded that such a narrow construction was warranted. Id. We reasoned that the term “security services” does not appear in the written description of the ’164 patent, only in the claims. However, in the Figure 3 embodiment, described supra, the mobile security device is described as effectively “a mobile internet gateway on behalf of the mobile device 310c.” Id. at 9 (citing Ex. 1001, 5:16–18). We further observed that the specification of the ’164 patent describes how the security administrator manages the mobile device by providing updates to the mobile security system. See, e.g., the following description of the Figure 3 embodiment from the ’164 patent: In this embodiment, because the security administrator 325 is capable of remotely communicating with the mobile security system 345b, IT can monitor and/or update the security IPR2019-00368 Patent 9,781,164 B2 11 policies/data/engines implemented on the mobile security system 345b. The security administrator 325 can centrally manage all enterprise devices, remotely or directly. Further, the security administrator 325 and mobile security systems 345 can interact to automatically translate enterprise security policies into mobile security policies and configure mobile security systems 345 accordingly. Because the mobile security system 345 may be generated from the relevant security policies of the enterprise 340, the mobile device 310c currently traveling may have the same level of protection as the devices 305/310 within the trusted enterprise 340. Institution Dec. 9 (quoting Ex. 1001, 5:30–44 (emphasis added)). Accordingly, for the reasons given, we were not persuaded by Patent Owner’s argument restricting the meaning of “security services” by excluding sending security information to the mobile device, as it was contrary to the description in the specification of the security administrator managing the security of the mobile device. Id. Patent Owner now contends in its Response that the term “should be given its plain and ordinary meaning.” PO Resp. 8. More specifically, Patent Owner contends the term should mean “the at least a portion of the security code, security policy, and security data, which are stored in the memory of the security system, cause the security system to initiate security services for a coupled mobile device.” Id. (emphasis added). In response, Petitioner urges the Board to “reject Patent Owner’s proposed construction.” Pet. Reply 6. Petitioner contends further that “[t]he prior art discloses this limitation under Patent Owner’s proposed construction.” Thus, the Board “does not need to construe this term.” Id. at 7. Consistent with our initial construction, Petitioner also contends “simply providing security information to a mobile device can provide a IPR2019-00368 Patent 9,781,164 B2 12 security service to the device.” Id. at 8. Petitioner contends, further, “[c]ontrary to Patent Owner’s position, therefore, the plain meaning of ‘service’ can include a server’s serving information to a client, especially where doing so is of help, use, or benefit to the client.” Id. at 10. For the reasons given in our Institution Decision, summarized supra, and those advanced by Petitioner (Pet. Reply 7–11), we find that the plain meaning of this term does not exclude distribution of security information to the mobile device, without more. This construction is further supported by testimony by Petitioner’s expert, Dr. Jakobsson. Jakobsson Supp. Decl. ¶ 17 (“For example, providing updated security information to the mobile device can protect it against newly identified threats, or configure it for securely connecting to new networks.” (citing Ex. 1001, 2:16–17)). It is also supported by the dictionary definitions of “service” provided by Petitioner. Pet. Reply 10 (citing, e.g., The Microsoft Internet & Networking Dictionary, defining “service” as including “a program or routine that provides support to other programs.”) Ex. 1014. For the reasons given, we agree with Petitioner and find that the plain meaning of “service” can include a server, such as that described in Groenendaal, providing information to a client, as doing so provides “support.” Pet. Reply 10. However, we also agree with Petitioner that, for reasons discussed infra, the prior art (particularly Groenendaal) discloses this limitation, even under Patent Owner’s proposed construction. 3. “being configured based on one or more policies implemented by the one or more IT administrators on the trusted enterprise network.” Prior to institution, neither party requested construction of this phrase. However, Patent Owner based its opposition to institution, in part, on the alleged failure of the references to disclose this feature. See Prelim. Resp. IPR2019-00368 Patent 9,781,164 B2 13 17–19. Thus, in our Institution Decision, we provided guidance on the construction of this term as necessary to our evaluation of this argument. Institution Dec. 10. This phrase appears in both claims 1 and 10, and refers to the implementation of policies by the IT administrators, “using an IT administrator system on a trusted network enterprise network.” Ex. 1001, 15:23–25, claim 1). In the Institution Decision, we observed that Patent Owner had implicitly construed this phrase in the Preliminary Response as requiring a first location on the trusted network where the “one or more policies” are “implemented,” and a second, separate location on the trusted network where configured security codes, security policies, and security data are stored. Institution Dec. 10 (citing Prelim. Resp. 17–18). We were not persuaded to accept this construction proposed by Patent Owner. Id. Thus, in our Institution Decision, we construed the phrase as requiring only that the policies be implemented by IT administrators “on the trusted network.” Id. at 11. That is, consistent with Figure 3 of the ’164 patent and the accompanying text, an IT administrator behind the firewall manages the security system. Id. (citing Ex. 1001, 5:30–44). We saw no need to further construe this term for purposes of our Institution Decision. Id. Patent Owner responds that “[t]he Board’s implicit construction for this term correctly recognized that the claims require one or more policies implemented by the IT administrators.” PO Resp. 15. Patent Owner agrees also that the Board’s initial construction “is consistent with Figure 3 of the ‘164 patent and the accompanying text.” Id. However, Patent Owner argues “the Board incorrectly determined that these policies implemented by the IT IPR2019-00368 Patent 9,781,164 B2 14 administrators could be the same as ‘the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data’ that are configured based on the one or more implemented policies.” Id. (emphasis original). Thus, Patent Owner now proposes that this phrase “should be accorded its plain and ordinary meaning.” Id. at 14. More specifically, Patent Owner asserts “that the security policy, security code, and security data must be ‘configured based on one or more policies put into effect by one or more IT administrators operating on the trusted enterprise network.’” Id. (emphasis added). Petitioner urges us to “reject Patent Owner’s proposed construction.” Pet. Reply. 12. Petitioner contends there is no need to construe the term, as “the language of this limitation is readily understandable.” Id. Moreover, Petitioner contends “[t]he prior art discloses this limitation under Patent Owner’s proposed construction.” Id. After considering these arguments by Patent Owner and Petitioner, we disagree with Patent Owner’s construction. The claims do not require that the policies be “put into effect.” The claims require that they be “implemented.” We further discuss infra what this “implementation” entails. We reject, therefore, Patent Owner’s attempt to rewrite the claim language. Further, we disagree with Patent Owner that our construction “improperly conflates the ‘one or more policies implemented by the one or more IT administrators on the trusted enterprise network’ with the security code, security policy, and security data stored in the memory of the security IPR2019-00368 Patent 9,781,164 B2 15 system that must be configured based on the one or more policies implemented by the IT administrator.” PO Resp. 16. We acknowledge that the claims themselves identify separately (1) the security code, security policy, and security data “being managed” by the IT administrators, and (2) the “policies implemented” by the IP administrators. Compare Ex. 1001, 15:20–24 with 15:28–30. The ’164 patent specification, likewise, distinguishes between the security code, security policy, and security data and the policies implemented by the administrators. Thus, the specification describes an embodiment where the security code, security policy, and security data are “based on” IT decisions: In an embodiment where the mobile security system 345 supports multiple mobile devices 310, the security engines 530, security policies 535 and security data 540 may be different for each mobile device 310 (e.g., based on for example user preferences or IT decision). Ex. 1001, 10:25–29 (emphasis added). We, therefore, maintain the construction of this term provided in our Institution Decision. However, we agree with Petitioner that, for reasons discussed infra, the prior art (particularly the Groenendaal reference) discloses this limitation, even under Patent Owner’s construction. 4. “IT administrator system” Patent Owner proposes that this term “should be accorded its plain and ordinary meaning.” PO Resp. 6. By that, Patent Owner contends the term means “one or more computers separate and distinct from the security system and mobile device that functions to centrally manage and perform Information Technology (IT) services.” Id. Petitioner responds that the Board should reject Patent Owner’s proposed construction, “especially its argument that the ‘IT administrator IPR2019-00368 Patent 9,781,164 B2 16 system’ must be a computer that is ‘separate and distinct’ from the claimed ‘security system’ and ‘mobile device.’” Pet. Reply 2. We agree with Patent Owner that the IT administrator system is separate from the claimed security system and mobile device. This view is supported by the specification of the ’164 patent, and especially Figure 3, reproduced supra. See Microsoft Corp. v. Proxyconn, Inc., 789 F.3d 1292, 1300 (Fed. Cir. 2015): The language of the specification consistently refers to the sender/computer, receiver/computer, gateway, and caching computers as separate and independent components of an overall system. The figures of the ’717 patent separately identify and number each component of the system. And nowhere does the ’717 patent indicate that the gateway and caching computer are the same as, or can be subsumed within, the sender/computer and receiver/computer. Figure 3 of the ’164 patent shows security administrator 325 as separate from mobile security system 325b and mobile device 310c. Ex. 1001, Fig. 3. Figure 4 of the patent is described as “a block diagram illustrating details of an example computer system 400 of which . . . security administrator 325 may be an instance.” Id. at 6:34–38 (emphasis added). The computer system 400 of Figure 4, of which the security administrator system “may be an instance,” describes the typical components of a laptop computer, including a processor, a keyboard or mouse, a display, a disk storage device, and a random access memory. Id. at 6:38–47. In addition to this description of a separate laptop computer in the specification, the claims recite the IT administrator system as a separate element. Although not conclusive, this is additional evidence that the IT administrator system is separate. See Becton, Dickinson and Co. v. Tyco IPR2019-00368 Patent 9,781,164 B2 17 Healthcare Group, LP, 616 F.3d 1249, 1254 (Fed. Cir. 2010) (“Where a claim lists elements separately, the clear implication of the claim language is that those elements are distinct components of the patented invention.”) (citations omitted) (internal quotes and alterations omitted). We decline, however, to adopt Patent Owner’s further proposal that would require, as a matter of claim construction, that the IT administrator “functions to centrally manage and perform Information Technology (IT) services.” PO Resp. 6. The role of the IT administrator system is already spelled out in the claims. Ex. 1001, 15:20–30 (claim 1); 16:21–31 (claim 10). The further construction proposed by Patent Owner is, therefore, unnecessary. Nor do we agree with Patent Owner’s assertion, in its Sur-reply, that the IT administrator system must be “remote” from the security system. PO Sur-reply 6. The claims do not require the IT administrator to be “remote.” Patent Owner’s evidentiary support for this new argument does not pertain to the IP administrator system. Instead, the argument is based on claim language referring to a “remote management code configured to process an update command” and to references in the specification to “remote management module 550.” Id. (citing Ex. 1001, 10:33–39). These refer to code that remotely manages mobile devices, not the IT administrator. See Hearing Tr. 57:9–13. Finally, we do not agree with Patent Owner that the IT administrator system must be a computer, i.e., hardware. PO Resp. 6–7; PO Sur-reply 7– 8. The claims refer to a “system,” not a computer. While the embodiment described in the ’164 patent is a separate laptop computer, the ’164 patent also states: “The various embodiments set forth herein may be implemented IPR2019-00368 Patent 9,781,164 B2 18 utilizing hardware, software, or any desired combination thereof.” Ex. 1001, 14:58–60. We, therefore, agree with Petitioner and find that the IT administrator system can also be software. Pet. Reply 6. C. Description of the Prior Art References 1. Groenendaal Groenendaal describes a wireless agent for a mobile device. Ex. 1003, Abstract. In one embodiment, the wireless agent is operable to dynamically determine an access point for wireless communications from a mobile device through a network. Id. The wireless agent is further operable to automatically select one of a plurality of security profiles associated with a mobile device based, at least in part, on the determined access point. Id. Each security profile includes a plurality of security parameters for accessing a wireless network. The wireless agent then modifies at least one of a plurality of network configuration options of the mobile device based on the selected security profile, and automatically attempts to connect the mobile device to the access point using the network configuration options. Id. IPR2019-00368 Patent 9,781,164 B2 19 Petitioner relies on Figure 1 of Groenendaal, which follows: Pet. 9. Figure 1 shows security management system 100 including server 102 and enterprise network 112. Ex. 1003 ¶ 16. The server includes security manager 130 and configuration manager 132. Id. ¶ 20. The server also includes memory 120 that stores security profiles 150 and configuration profiles 152. Id. ¶ 17. The security system provides security services to mobile clients 104 (e.g., 104b, 104c, and 104d). Id. ¶ 14. For example, an administrator manages and updates the security profiles and configuration profiles using GUI (graphical user interface) 116 on laptop 104a. Id. ¶¶ 27, 28. The IPR2019-00368 Patent 9,781,164 B2 20 configurable and updatable security policies relate to firewall settings, intrusion detection, file sharing, network authentication, and allowed and disallowed network access points, among other security services. Id. ¶¶ 57– 60, Figs. 4–6. 2. Wright Wright discloses protecting data on a client mobile computing device by a server computer within an enterprise network or on a separate mobile computing device. Ex. 1004, Abstract. Wright describes security tools that provide different security policies to be enforced, based on a location associated with a network environment in which a mobile device is operating. Id. Wright also describes methods for detecting the location of the mobile device. Id. The security tools in Wright also provide for enforcing different policies based on security features such as the type of connection (e.g., wired or wireless) over which data is being transferred, the operation of anti-virus software, or the type of network adapter card. Id. The different security policies provide enforcement mechanisms that may be tailored based upon the detected location or active security features associated with the mobile device. Id. IPR2019-00368 Patent 9,781,164 B2 21 Petitioner relies on Figure 2A of Wright, which follows: Pet. 38. Figure 2A shows server system 200 that includes memory 242. Ex. 1004 ¶¶ 53–54. Memory 242 stores security policies and other security information. Id. ¶ 110. The server includes policy management module 236, which manages security policies. Id. ¶ 55. The security system provides security services to remote mobile client devices. Id. ¶ 53. A system administrator manages and updates security policies using user interface module 240, which may display a GUI. Id. ¶ 127; see also Figs. 5B–F, ¶¶ 188–192. Policy management module 236 manages security policies. Id. ¶¶ 55–59. The policy management module manages one or more of the client devices for security purposes. Id. ¶ 110. The configurable and updatable security policies relate to data protection, data accessibility rights, data visibility rights, location detection, allowable IPR2019-00368 Patent 9,781,164 B2 22 network access point connections, and malware detection, among other security services. Id. ¶¶ 53–54, 73, 110, 127, 133, 169, 186–192, Figs. 5A– F. IV. ANALYSIS OF THE CHALLENGED CLAIMS The Petition challenges claims 1–7, 9–16, and 18 of the ’164 patent. Petitioner asserts unpatentability of the claims based on obviousness. 1. Obviousness A claim is unpatentable under 35 U.S.C. § 103(a) if the differences between the claimed subject matter and the prior art are such that the subject matter, as a whole, would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The question of obviousness is resolved on the basis of underlying factual determinations, including (1) the scope and content of the prior art; (2) any differences between the claimed subject matter and the prior art; (3) the level of skill in the art; and (4) where present, so-called “secondary considerations,” including commercial success, long-felt but unsolved needs, failure of others, and unexpected results. Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966) (“Graham factors”). Patent Owner presents evidence on the fourth Graham factor. PO Resp. 38–41. We, therefore, consider secondary considerations infra. 2. Groenendaal Challenge (Claims 1–7, 9–16, and 18) Petitioner contends claims 1–7, 9–16, and 18 are “obvious . . . in light of Groenendaal.” Pet. 8. As mentioned above, claims 1 and 10 are independent. We begin our discussion with claim 1. IPR2019-00368 Patent 9,781,164 B2 23 a. Claim 1 Petitioner’s analysis of claim 1 in relation to Groenendaal appears at pages 8–29 of the Petition. Petitioner supports its analysis with testimony from its expert, Dr. Jakobsson. Jakobsson Decl. ¶¶ 55–88. We find Petitioner’s analysis and Dr. Jakobsson’s testimony persuasive and we therefore find that Groenendaal teaches or suggests each element of claim 1. Our reasoning follows. Petitioner provides persuasive evidence that each element of claim 1 is disclosed or suggested by Groenendaal. For example, the claim 1 preamble calls for a “security system.” Petitioner contends this element is found in Groenendaal’s server 102. Pet. 10 (citing Fig. 1 supra; Ex. 1003 ¶¶ 16, 20); Jakobsson Decl. ¶ 55. Patent Owner does not dispute this evidence. We find that Groenendaal describes such a security system. We do not find it necessary to decide whether the preamble is limiting. Claim 1 calls also for “a security system processor configured to: store in the security system memory at least a portion of security code, at least a portion of a security policy, and at least a portion of security data.” See claim elements 1.2, 1.3.3 Petitioner contends this limitation is met in Groenendaal’s disclosure of memory 120 storing security profiles 150 and configuration profiles 152. Pet. 11 (citing Ex. 1003 ¶¶ 21, 23). We find, for the reasons given by Petitioner, including those summarized supra, that these elements of claim 1 (element 1.1, element 1.2, and element 1.3) are taught or suggested by Groenendaal. Pet 10–13; Jakobsson Decl. ¶¶ 56–65. 3 References to claim elements in this section and following use the paragraph numbering added to the claim in Section I.E, supra. IPR2019-00368 Patent 9,781,164 B2 24 Claim 1 further calls for “the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data configured to provide security services to a mobile device coupled to the security system, the mobile device having at least one mobile device processor different than the security system processor of the security system.” See claim element 1.4, supra. Petitioner contends this limitation is met by Groenendaal: “Groenendaal discloses that clients 104 have ‘one or more processors’ different than the processor of server 102 (security system). . . . A [person of ordinary skill] will understand that this is necessarily and inherently the case because clients 104 and server 102 are different devices.” Pet. 14 (citing Ex. 1003 ¶¶ 20, 27, Fig. 1; Jakobsson Decl. ¶ 66). Furthermore, claim 1 requires: the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data being managed by one or more information technology (IT) administrators using an IT administrator system on a trusted enterprise network, the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data being configured based on one or more policies implemented by the one or more IT administrators on the trusted enterprise network. See claim element 1.5, supra. Petitioner contends this element is met by Groenendaal’s disclosure of an IT administrator using GUI 116 to update the system’s connection, security, and firewall profiles. Pet. 17–18. Further, Petitioner contends “Groenendaal discloses that the security code, security policy, and security data described above are configured based on one or more policies implemented by the IT administrator on the trusted enterprise network. . . .” Id. at 20. Still further, “Groenendaal also discloses that the IPR2019-00368 Patent 9,781,164 B2 25 configuration profile and security profiles, which reflect the administrator’s policies, are implemented on the security manager and configuration manager on the server 102 on the trusted network.” Id. at 20–21 (citing Ex. 1003, Fig. 1, ¶¶ 20, 21, 23). These assertions are challenged by Patent Owner and will be discussed in greater detail infra. Petitioner provides similar element-by-element analyses for remaining limitations 1.6, 1.7, and 1.8 of claim 1. Pet. 21–29. For example, claim element 1.6 calls for an “update command, the update command being an instruction to update at least one of the security code, the security policy, or the security data based on one or more revised policies implemented by the one or more IT administrators on the trusted enterprise network.” Petitioner contends this element is disclosed by Groenendaal: “Groenendaal discloses that the IT administrator may use a GUI, described above, to update a security policy. The GUI includes a ‘Finish’ button for the IT administrator to update a security policy by issuing a ‘Finish’ command.” Pet. 21 (citations omitted). Petitioner relies on this disclosure also to meet claim elements 1.7 and 1.8, which call, respectively, for receiving and executing the update command. Id. at 25–30. We find, for the reasons given by Petitioner, including those summarized supra, that these remaining elements of claim 1 (elements 1.6, 1.7, and 1.8) are taught or suggested by Groenendaal. Pet 21–29; Jakobsson Decl. ¶¶ 77–88. Patent Owner’s response mainly focuses on the claim construction issues discussed supra, and on Petitioner’s analysis of claim limitations 1.4 and 1.5. PO Resp. 17–27. Patent Owner makes two main arguments. First, Patent Owner contends Groenendaal does not teach or suggest a security IPR2019-00368 Patent 9,781,164 B2 26 system storing a security policy, security code, and security data that provides security services to a mobile device (element 1.4, the “security service” limitation). Id. at 17–22. Second, Patent Owner contends Groenendaal fails to teach or suggest the claimed IT administrator system (element 1.5, the “IT administrator system” limitation). Id. at 22–27. We discuss these in turn. i. The Security Service Limitation Petitioner contends this limitation is met by Groenendaal. Pet. 15 ( “A [person of ordinary skill] will understand that the security code, policy, and data . . . is used by server 102 to provide security services to mobile clients 104.”). See also discussions supra. Petitioner states further: “Groenendaal discloses that such security code, policy, and data (other than the firmware and the security manager) define the security profile 150 and configuration profile 152, which are used by security manager 130 and configuration manager 132 to provide security services.” Pet. 16 (citing Ex. 1003, ¶¶ 57–60, 21, 23; Jakobsson Decl. ¶ 68). Patent Owner responds that Petitioner fails to demonstrate that the security system in Groenendaal “provides security services to a mobile device.” PO Resp. 17–22. As Patent Owner states: “A [person of ordinary skill] would understand that simply pushing security profiles to the mobile device does not satisfy this claim element because those security profiles would only protect the mobile device when executed on the mobile device by the mobile device processor.” Id. at 20. Further, Patent Owner asserts: “All of the examples of purported security policies, security data, and security code that Dr. Jakobsson relies upon are implemented by the mobile IPR2019-00368 Patent 9,781,164 B2 27 device and do not, therefore, provide security services to the mobile device while stored on the security system.” Id. Patent Owner’s assertion is based on its proposed construction of “provide security services” that we did not adopt. See discussion supra. Thus, we are not persuaded by Patent Owner’s argument that management of clients 104 by the IT administrator in Groenendaal does not meet the requirement of providing services to the mobile device. See Ex. 1003 ¶ 14. We are persuaded instead by Petitioner’s evidence that this limitation is met by Groenendaal, summarized supra, and, based on the proper claim construction, we find Petitioner demonstrates that Groenendaal teaches or suggests this limitation. Pet. 14–17; Pet. Reply 13–17; Jakobsson Decl. ¶¶ 66–69; Jakobsson Supp. Decl. ¶¶ 16–21, 29–37. We find that distributing security profiles that enable the mobile devices to access the network in Groenendaal is a service provided to the mobile device within the meaning of the claims as properly construed. Pet. Reply 14; Jakobsson Supp. Decl. ¶ 32. In addition, we find that sending security profile updates to the security profiles is another service provided by server 102 in Groenendaal. Ex. 1003 ¶¶ 14, 18; Jakobsson Supp. Decl. ¶¶ 32–33. Also, we find that the security service limitation is met when server 102 in Groenendaal provides the mobile devices with security profiles “tailored” for a particular client or user. Ex. 1003 ¶¶ 14, 18; Jakobsson Supp. Decl. ¶ 34. It is also met because security manager 130 may also activate, update, or replace security profiles on the mobile device. Ex. 1003 ¶ 21; Jakobsson Supp. Decl. ¶ 34. We find, therefore, that Groenendaal’s server 102 provides the claimed “security services to a mobile device.” Jakobsson Supp. Decl. ¶ 35. IPR2019-00368 Patent 9,781,164 B2 28 We further find that even under Patent Owner’s proposed construction, this limitation would be met by Groenendaal. As Petitioner explains, Groenendaal is not limited to “pushing” security profiles to mobile devices. Pet. Reply 16–17. For example, Groenendaal also describes commanding mobile devices to perform certain actions as well as enforcement of security policies. Pet. Reply 16–17; Ex. 1003 ¶¶ 14, 21; Jakobsson Supp. Decl. 36–37; Pet. 15–17. We find that by engaging in these activities, Groenendaal is providing security services to the mobile devices, even under Patent Owner’s claim construction. In summary, we are not convinced by Patent Owner’s argument that “simply pushing security profiles to the mobile device does not satisfy this claim element because those security profiles would only protect the mobile device when executed on the mobile device by the mobile device processor.” PO Resp. 20 (citing Medvidovic Decl. ¶ 76); Jakobsson Supp. Decl. ¶ 35. Nor are we convinced that “simply pushing profiles to the mobile device” (PO Resp. 20) is an accurate presentation of Groenendaal’s teachings. We are more persuaded by Petitioner’s showing that Groenendaal performs other activities in support of the mobile devices, and we therefore find that server 102 in Groenendaal provides a broad range of security services to mobile clients 104 within the meaning of the claims, even as construed by Patent Owner. Pet. 14–17. For at least these reasons we find that the security service limitation is met by Groenendaal, either under our construction or that of Patent Owner. ii. The IT Administrator System Limitation Petitioner contends Groenendaal discloses the claimed IT administrator system. Pet. 17. Groenendaal discloses that the IT IPR2019-00368 Patent 9,781,164 B2 29 administrator may use a “graphical user interface (GUI)” 116 to interface with system 100. Id. at 17–18 (citing Ex. 1003 ¶¶ 22, 28). See also discussions of Groenendaal, supra. The Petition also states: “The IT administrator may use the GUI to update the system’s connection profiles, security profiles, and firewall profiles, among other tasks.” Id. at 18. Patent Owner denies that Groenendaal discloses “one or more policies implemented by the IT administrator on the trusted enterprise network.” PO Resp. 24. Patent Owner explains: “Petitioner does not point to any evidence (there is none) that ‘the administrator’s policies’ are implemented anywhere or that ‘the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data’ being ‘configured based on one or more policies implemented by the one or more IT administrators on the trusted enterprise network.’” Id. In addition, Patent Owner contends “a [person of ordinary skill] would understand that the claimed IT administrator system is separate and distinct from the mobile devices that it manages.” Id. at 25 (citing Medvidovic Decl. ¶ 85). According to Patent Owner, Petitioner “conflates” the claimed mobile device and IT administrator system. Id. We are persuaded by Petitioner’s evidence, summarized supra and discussed further below, and therefore find that this limitation is met by Groenendaal’s disclosure of the IT administrator using GUI 116 to update the system’s connection, security, and firewall profiles on the trusted network. Pet. 17–21; Pet. Reply 17. Groenendaal’s “security policies” are stored in memory 120 as part of security profiles 150 and configuration profiles 152. Ex. 1003 ¶ 14; Jakobsson Supp. Decl. ¶ 38. These stored policies reflect the administrator’s input into GUI 116. Ex. 1003 ¶ 28 (“GUI IPR2019-00368 Patent 9,781,164 B2 30 116 comprises a graphical user interface operable to allow . . . an administrator or other authorized user of the system to interface with at least a portion of system 100 for any suitable purpose”); Jakobsson Supp. Decl. ¶ 38. Thus, we find that the stored policies meet the language of the claim calling for “the at least a portion of the security code, the at least a portion of the security policy, and the at least a portion of the security data being configured based on one or more policies implemented by the one or more IT administrators on the trusted enterprise network.” Pet. 20–21; Jakobsson Decl. ¶ 76; Jakobsson Supp. Decl. ¶ 38. Examples of the implementation include: the administrator using the “enable firewall” GUI option (Ex. 1003 ¶ 59, Fig. 8D), and the administrator configuring security data based on the administrator’s policies regarding what access points are valid and what IP addresses are allowed or forbidden from Internet sharing (Ex. 1003 ¶¶ 19, 58–59, Figs. 7D, 8J). Pet. 20; Jakobsson Decl. ¶ 76; Jakobsson Supp. Decl. ¶ 39 Other examples include configuring the security code “$SSID$==‘JFKWIRELESS’” based on the administrator’s policies regarding “what access points are valid” (Ex. 1003 ¶ 19) and configuring the security manager by configuring the security profiles that define its behavior (Ex. 1003 ¶¶ 21, 57–60). Pet. 20; Jakobsson Decl. ¶ 76; Jakobsson Supp. Decl. ¶ 39. Patent Owner contends that Petitioner has not shown that these “policies” meet this limitation because they constitute “thoughts of a human actor.” PO Sur-reply 15. We disagree with this characterization of Petitioner’s argument. The issue was explored with Petitioner’s counsel at the oral argument, where counsel made a distinction between the IPR2019-00368 Patent 9,781,164 B2 31 administrator’s thoughts and the policies that are implemented by entering instructions through the GUI: [PETITIONER’S COUNSEL]: The distinction is that if the IT administrator just thinks, okay, employees need to block social media and does nothing more, that has not been implemented. To be implemented the administrator has to do, for example, what is disclosed in Groenendaal, go to the graphic user interface and enter the right parameters to enforce that policy, and then hit the finish button, if we’re talking about Groenendaal. And then doing that would implement the policy in the company. Hearing Tr. 20:1–7. Patent Owner’s counsel responded that Petitioner “cannot point to any IT administrator policies. This whole notion about it being in the head of the IT administrator is insufficient.” Id. at 27:16–18. We are not convinced by Patent Owner’s argument. Instead we find, as discussed supra, that Petitioner has identified in Groenendaal several security policies implemented by the IT administrator by entering them on GUI 116 and stored in memory 120. Pet. 11–12, 18–21; Pet. Reply 18–19. For example, in addition to the above, Groenendaal describes the administrator entering security settings reflecting allowed and disallowed access points. Pet. 12 (citing Ex. 1003 ¶ 58; Fig. 7D). Similarly, Groenendaal describes the administrator entering security settings reflecting IP addresses allowed and forbidden from Internet sharing. Pet. 12 (citing Ex. 1003 ¶ 59, Fig 8J). Also, Groenendaal describes the administrator using GUI 116 to enter firewall settings allowing the user to allow or block programs from inward and outward traffic. Pet. Reply 18–19; Ex. 1003 ¶¶ 59–60; Figs. 8F, 9B. We find Patent Owner’s further arguments on this issue unavailing. For example, we have considered Patent Owner’s argument distinguishing “policies implemented by the IT administrator” from the claimed “security IPR2019-00368 Patent 9,781,164 B2 32 policies.” PO Resp. 22–24. Patent Owner argues: “Specifically, Petitioner does not assert that Groenendaal teaches any ‘policies implemented by the IT administrator’ that are distinct from the purported ‘security policies.’” Id. at 22. We are not convinced by this argument. We understand Petitioner to be arguing that the policies are implemented when entered into the administrator system through the GUI. See, e.g., Pet Reply 18 (“Groenendaal’s IT administrator’s policies, by contrast, are the IT administrator’s decisions and rules about security, which the IT administrator uses to provide appropriate input to GUI 116 in order to implement those policies on client computers 104.”). Petitioner’s evidence thus distinguishes between security policies that are implemented and ultimately stored in memory as “security profiles” and “configuration profiles” and those that are not implemented. Pet. Reply 17. We find this to be consistent with the description in the ’164 patent that describes the mobile security system as being “generated from the relevant security policies of the enterprise.” Ex, 1001, 5:39–41. As explained further by Petitioner’s counsel at the hearing: “[W]hat the claim language is describing, that there are certain -- there are policies. Some may be implemented, some may not be.” Hearing Tr. 20:9–11. We are not convinced by Patent Owner’s related argument that the “policies implemented by the one or more IT administrators on the trusted network” must be stored in security system memory beforehand. PO Resp. 8. Neither the claims nor the specification supports this argument. The claims describe “at least a portion of the security code, security policy, and security data” as “stored in the memory of the security system.” Separately, the claims recite “one or more policies implemented by the one IPR2019-00368 Patent 9,781,164 B2 33 or more IT administrators on the enterprise trusted network,” on which the security policies are “based.” Consistent with this claim language, we find that there is a distinction between policies implemented by the IP administrators and the “security code, security policy, and security data” described in the claim as “stored in the memory of the computer system.” See discussion supra. We address also Patent Owner’s argument that Petitioner “conflates” the mobile device and the IT administrator system in Groenendaal. PO Resp. 25. We are not persuaded by this argument. Patent Owner bases this argument on the fact that both client computers 104a and 104c in Groenendaal have GUIs. Patent Owner contends these systems are therefore not “two separate systems.” Id. at 26. Figure 1 of Groenendaal, reproduced supra, shows devices 104a and 104c as separate computers. We find no support for Patent Owner’s argument that device 104a (depicted in Figure 1 as a laptop computer connected to server 102 by wireline or wireless link 111) is not “separate” from the other mobile devices the network because other mobile devices also have GUIs. PO Resp. 25–27. As Petitioner points out, “a mobile device does not stop being a mobile device merely because it includes a certain GUI.” Pet. Reply 21; Jakobsson Supp. Decl. ¶ 44. Nor do we see any merit in Patent Owner’s argument that the IT administrator in Groenendaal is not a separate “system” from server 102 because it is merely an “interface.” Sur-reply 1; Hearing Tr. 28:5–7. The argument fails because the GUI is an input device to laptop computer 104a, as shown in Figure 3 of Groenendaal. Ex. 1003 ¶ 27. This laptop computer is described as “compris[ing] an electronic computing device operable to IPR2019-00368 Patent 9,781,164 B2 34 receive, transmit, process and store any appropriate data associated with system 100.” Id. We therefore find that this description contradicts Patent Owner’s argument that the GUI is just an interface to system 100 and demonstrates that the laptop computer is itself a “system” and not merely an input device. See Pet. Reply 5 (citing Exs. 1010, 1011, defining “system”). For at least these reasons we find that Petitioner has demonstrated the IT administrator system limitation is met by Groenendaal. In sum, we have considered Petitioner’s analysis of these elements 1.4. and 1.5 as well as the remaining elements of claim 1 in relation to Groenendaal. Taking into account Petitioner’s evidence and Patent Owner’s response, we are persuaded that Petitioner has demonstrated by a preponderance of the evidence that Groenendaal teaches or suggests each element of claim 1. b. Claim 10 For its challenge to claim 10 based on Groenendaal alone, Petitioner adopts its analysis of claim 1. Pet. 34–35. Patent Owner does not distinguish between claim 1 and claim 10 in its response. PO Resp. 17. We find, therefore, that the above analysis of claim 1 applies equally to claim 10. Accordingly, for the reasons given for claim 1, we find that Petitioner has also demonstrated by a preponderance of the evidence that Groenendaal teaches or suggests each element of claim 10. c. Claims 2–7, 9, 11–16, and 18 Claims 2–7 and 9 depend directly from claim 1. Claims 11–16 and 18 depend directly from claim 10. The two sets of dependent claims are parallel, and each set provides the same or similar additional features to the claims from which they depend. Claim 2, for example, specifies that the IPR2019-00368 Patent 9,781,164 B2 35 security system “is on a separate appliance removably coupled to the mobile device.” Claim 11 calls for “coupling the security system to the mobile device.” Petitioner identifies server 102 and mobile device 104b as meeting these limitations. Pet. 30, 35. Petitioner provides an element-by-element analysis of each of these dependent claims in relation to Groenendaal. Pet. 30–33, 35–36. Patent Owner relies on its response to claims 1 and 10, and does not respond separately to Petitioner’s analysis of these dependent claims. We are persuaded by Petitioner’s analysis of these claims in relation to Groenendaal. Pet 30–33, 35–36; Jakobsson Decl. ¶¶ 89–102, 110–118. Accordingly, for the reasons given for claims 1 and 10, and the additional reasons provided by Petitioner and Dr. Jakobsson, we find that Petitioner has demonstrated by a preponderance of the evidence that Groenendaal teaches or suggests each element of claims 2–7, 9, 11–16, and 18. d. “Objective Indicia of Non-obviousness” Patent Owner asserts that the patentability of the challenged claims is supported by “objective indicia” (also called “secondary considerations”) of nonobviousness, including long-felt need, failure of others, and skepticism by experts in the industry. PO Resp. 39–41. See Graham, 383 U.S. at 17– 18. Before reaching a decision on obviousness, we must weigh these secondary considerations. In re Cyclobenzaprine Hydrochloride Extended- Release Capsule Patent Litig., 676 F.3d 1063, 1075–76 (Fed. Cir. 2012). “The patentee bears the burden of showing that a nexus exists.” Fox Factory, Inc. v. SRAM, LLC, 944 F.3d 1366, 1373 (Fed. Cir. 2019) (quoting WMS Gaming Inc. v. Int’l Game Tech., 184 F.3d 1339, 1359 (Fed. Cir. 1999)). To determine whether the patentee has met that burden, we consider IPR2019-00368 Patent 9,781,164 B2 36 the correspondence between the objective evidence and the claim scope. Fox Factory, Inc., 944 F.3d at 1373 (citation omitted). Patent Owner cites no testimonial evidence in support of its assertions of secondary considerations, but relies instead on statements in the ’164 patent itself, as well as two publications: one, a Technology News article (Ex. 2007); the other. a Forrester report (Ex. 2008). According to Patent Owner, these show “[t]he industry confirmed that there was a long recognized problem with regard to mobile security that others failed to solve.” PO Resp. 39. Further, Patent Owner asserts “the recognition of a problem, long-felt need, and failure by others all demonstrate that the ‘164 Patent was not obvious.” Id. at 40. Patent Owner further asserts: “The industry also expressed skepticism as to the capabilities of [mobile device management] solutions that existed in 2013.” Id. at 41 (citing Ex. 2007, the Technology News article). Patent Owner makes no attempt to relate these statements to the ’164 patent claims. Petitioner responds that this evidence “should be given no weight.” Pet. Reply 28. Petitioner asserts “Patent Owner has not established a nexus between its cited secondary considerations evidence and the merits of ’164 patent’s challenged claims (as opposed to mobile security or network security generally).” Id. We agree with Petitioner that Patent Owner has failed to establish the required nexus to its claims. “In order to accord substantial weight to secondary considerations in an obviousness analysis, the evidence of secondary considerations must have a nexus to the claims, i.e., there must be a legally and factually sufficient connection between the evidence and the IPR2019-00368 Patent 9,781,164 B2 37 patented invention.” Fox Factory, Inc., 944 F.3d at 1373 (internal quotes omitted). We agree also that Patent Owner has not provided convincing evidence supporting the existence of such objective indicia. To demonstrate long felt need, a patentee must point to an “articulated identified problem and evidence of efforts to solve that problem which were, before the invention, unsuccessful.” Tex. Instruments v. Int’l Trade Comm’n, 988 F.2d 1165, 1178 (Fed. Cir. 1993). Patent Owner’s reliance on generalities fails to provide us with persuasive evidence of an “articulated identified problem,” much less evidence of failed efforts to solve that problem. For example, Patent Owner relies on statements in the ’164 patent that an industry conference in December 2005 “highlighted” mobile security, and “no complete solutions were presented.” PO Resp. 39 (citing Ex. 1001, 2:27– 31). Patent Owner provides no further details on this conference. Patent Owner also cites a news article referring generally to “employees using devices for personal purposes” to show “higher risk of security issues.” Id. at 40 (citing Ex. 2007). We have considered this evidence and do not find it sufficiently detailed or specific to convince us of the existence of a long felt need that others failed to meet. Similarly, Patent Owner has produced no testimony from experts expressing industry skepticism. Instead, Patent Owner again relies on generalized statements from a news article concerning the need for “data encryption and antimalware software” and statements in its own patent. PO Resp. 41. See In re Magna Electronics, Inc., 611 Fed.Appx. 969, 973 (Fed. Cir. 2015) (“Nor can Magna substantiate its claim of skepticism of experts. IPR2019-00368 Patent 9,781,164 B2 38 As we have noted, such arguments often require a showing of technical infeasibility or manufacturing uncertainty.”) We find that, for the reasons given, Patent Owner’s evidence of secondary factors is insubstantial and unconvincing, and we therefore give it minimal weight in considering the obviousness of the challenged claims. e. Summary Having considered the submissions of the parties and the full trial record as a whole, including Patent Owner’s proofs of alleged secondary considerations, we determine that Petitioner has demonstrated by a preponderance of the evidence that the challenged claims of the ’164 patent would have been obvious to a person of ordinary skill in view of Groenendaal. 2. Other Challenges As noted above, Petitioner also contends that claims 1–6, 9–15, and 18 would have been obvious in light of Wright and claims 1–7, 9–16, and 18 would have been obvious in light of Groenendaal and Wright, combined. Because we find that Petitioner has demonstrated claims 1–7, 9–16, and 18 would have been obvious in light of Groenendaal alone, is it unnecessary for us to reach the remaining grounds of unpatentability proposed by Petitioner. Cf. In re Gleave, 560 F.3d 1331, 1338 (Fed. Cir. 2009) (not reaching other grounds of unpatentability after affirming a ground based on anticipation); see also Beloit Corp. v. Valmet Oy, 742 F.2d 1421, 1423 (Fed. Cir. 1984) (an administrative agency is at liberty to reach a decision based on a dispositive issue). IPR2019-00368 Patent 9,781,164 B2 39 IV. CONCLUSION Based on the arguments and evidence presented during trial, Petitioner has demonstrated by a preponderance of the evidence that claims 1–7, 9–16, and 18 of the ’164 patent are unpatentable under 35 U.S.C. §103.4 A summary of our conclusions is set forth in the table reproduced below. 4 Should Patent Owner wish to pursue amendment of the challenged claims in a reissue or reexamination proceeding subsequent to the issuance of this decision, we draw Patent Owner’s attention to the April 2019 Notice Regarding Options for Amendments by Patent Owner Through Reissue or Reexamination During a Pending AIA Trial Proceeding. See 84 Fed. Reg. 16,654 (Apr. 22, 2019). If Patent Owner chooses to file a reissue application or a request for reexamination of the challenged patent, we remind Patent Owner of its continuing obligation to notify the Board of any such related matters in updated mandatory notices. See 37 C.F.R. § 42.8(a)(3), (b)(2). 5 As explained above, because we find that Petitioner has demonstrated that claims 1–7, 9–16, 18 are obvious in light of Groenendaal, is it unnecessary for us to reach the remaining grounds of unpatentability proposed by Petitioner. In re Gleave, 560 F.3d at 1338. Claims 35 U.S.C. § Reference(s) Claims Shown Unpatentable Claims Not shown Unpatentable 1–7, 9–16, 18 103 Groenendaal 1–7, 9–16, 18 1–6, 9–15, 18 1035 Wright 1–7, 9–16, 18 103 Groenendaal, Wright Overall Outcome 1–7, 9–16, 18 IPR2019-00368 Patent 9,781,164 B2 40 V. ORDER Upon consideration of the record before us, it is: ORDERED that claims 1–7, 9–16, and 18 of the ’164 patent are determined to be unpatentable; FURTHER ORDERED that because this is a Final Written Decision, parties to this proceeding seeking judicial review of our decision must comply with the notice and service requirements of 37 C.F.R. § 90.2. PETITIONER: Robert Buergi James M. Heintz DLA Piper LLP robert.buergi@dlapiper.com jim.heintz@dlapiper.com PATENT OWNER: James Hannah Jeffrey H. Price Michael Lee KRAMER LEVIN NAFTALIS & FRANKEL LLP jhannah@kramerlevin.com. jprice@kramerlevin.com mhlee@kramerlevin.com Copy with citationCopy as parenthetical citation